vLLM
cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the vLLM project's MediaConnector class, specifically within its multimodal feature set. The vulnerability arises because the load_from_url and load_from_url_async methods retrieve and process media from user-supplied URLs without sufficient restrictions on the target hosts. This flaw enables attackers to manipulate the vLLM server into making arbitrary requests to internal network resources.
Exploitation of this vulnerability could lead to unauthorized access to internal network resources, allowing attackers to bypass access controls and potentially conduct network reconnaissance. Additionally, it could cause a denial-of-service by disrupting internal services.
Users are advised to update the affected package as soon as possible.
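The advisory says the media loader fetches whatever URL the caller supplies, with no restriction on the destination host. The Python below is an added illustration of the destination check that such a fetcher needs; it is not vLLM's code and does not reproduce the project's fix. All names in it (validate_media_url, is_safe_media_url, is_public_address, resolve_host, ALLOWED_SCHEMES, and the STATIC_DNS lookup table used so it runs offline) are constructed for this example. It rejects non-HTTP schemes, embedded credentials, literal or resolved loopback, private, link-local and IPv4-mapped addresses, and hosts that resolve to a mix of public and internal addresses.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import urlparse

# Constructed for this example: only plain web schemes are acceptable for media.
ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], Iterable[str]]


def resolve_host(hostname: str) -> List[str]:
    """Real DNS lookup: every A/AAAA address the name maps to (used in production)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for globally routable addresses; unwraps ::ffff:a.b.c.d first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_media_url(url: str,
                       resolver: Resolver = resolve_host,
                       allowed_hosts: Optional[Set[str]] = None) -> List[str]:
    """Return the public addresses the URL resolves to, or raise ValueError.

    The caller should connect to one of the returned addresses (sending the
    original Host header) rather than resolving the name a second time, so a
    DNS rebinding between check and fetch cannot redirect the request inward.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # lowercased, IPv6 brackets already stripped
    if not host:
        raise ValueError("URL has no host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not in allow list: {host}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise ValueError(f"host did not resolve: {host}")
    # Every address must be public: a name that maps to one public and one
    # internal address would otherwise let the client pick the internal one.
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked:
        raise ValueError(f"host {host} resolves to non-public address(es): {blocked}")
    return addrs


def is_safe_media_url(url: str,
                      resolver: Resolver = resolve_host,
                      allowed_hosts: Optional[Set[str]] = None) -> bool:
    """Boolean wrapper around validate_media_url for callers that only need yes/no."""
    try:
        validate_media_url(url, resolver, allowed_hosts)
        return True
    except ValueError:
        return False


# Constructed lookup table so the example runs offline; production code uses resolve_host.
STATIC_DNS = {
    "media.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def static_resolver(hostname: str) -> List[str]:
    return STATIC_DNS.get(hostname, [])


if __name__ == "__main__":
    for candidate in ("https://media.example.com/cat.png",
                      "http://metadata.internal/latest",
                      "http://[::ffff:10.0.0.1]/",
                      "file:///etc/hosts"):
        print(candidate, "->", "allowed" if is_safe_media_url(candidate, static_resolver) else "rejected")
```

Two points the check alone does not cover: HTTP redirects must be re-validated hop by hop (or disabled), because a public host can 302 to an internal address, and the fetch itself should honour a short timeout and a response-size cap so that a slow or oversized internal target cannot tie up server workers, which is the denial-of-service angle the advisory mentions.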